tomcat-users mailing list archives

From Vijay
Subject clear text keystore password in server.xml
Date Fri, 27 Aug 2010 09:41:23 GMT
I am looking to secure the keystore password that is stored as
clear text in server.xml.
Looking at the various online forums, here are the suggested options I came

   1. Restrict the access permissions of server.xml so that only the
   administrator is able to access server.xml
   2. Do not save the keystore password in server.xml. Instead use the
   system property "clear text keystore
   password" to pass the password to Tomcat. [this is available in Tomcat
   5.5.29 onwards]

The problem with both approaches is that the password is in clear text and
we deem it a potential security risk.

I am looking for a way to use only encrypted passwords.

I am looking to write a wrapper class that decrypts the password passed as
an environment variable to Tomcat, and then sets the system property inside the JVM itself.

Something along the lines of:

public class WrapperTomcatBootstrap {

    public static void main(String args[]) {
        String encryptedKeystorePassword =
        if(encryptedKeystorePassword != null) {
            String decryptedPassword =

For some reason this doesn't seem to work. Tomcat is listening in both
http/https modes, and requests to the http port are getting redirected to the https
port, but no web pages are being served. Nothing in the logs either :(

   - Are there any problems with the approach above?
   - Is there a better way to work with encrypted passwords?

The Tomcat version I am using is 5.5.30

Thanks in advance for any pointers/suggestions in this direction!
